Functions/Public/Get-URLScan.ps1
|
function Get-URLScan { <# .SYNOPSIS This function enables you to retrieve submitted scans from URLScan.io .DESCRIPTION This function enables you to retrieve submitted scans from URLScan.io .PARAMETER UUID The UUID for the results you want to retrieve. This also accepts input as 'id' and '_id' .PARAMETER Return The type of data to return. (I.e. Links/Hashes/Technologies/etc.) By default the scan results are returned in their raw format. .PARAMETER ReturnType The return type for results to be returned in. (Object / JSON) .PARAMETER APIKey The -APIKey parameter enables you to specify an API Key if you have an account with URLScan.io. This will enable higher query limits and larger page sizes. This is only necessary if your API Key has not been saved using Set-URLScanConfiguration .EXAMPLE $Scan = New-URLScan -URL 'https://bbc.co.uk' $Scan | Get-URLScan -Return Certificates Subject Issuer ValidFrom ValidTo ------- ------ --------- ------- www.bbc.com GlobalSign RSA OV SSL CA 2018 5/18/2078 5:20:51 AM 5/1/2079 12:32:58 AM www.bbc.co.uk GlobalSign ECC OV SSL CA 2018 4/12/2078 2:23:56 AM 5/14/2079 1:12:50 AM cdn.optimizely.com DigiCert TLS RSA SHA256 2020 CA1 2/16/2078 3:26:48 PM 2/21/2079 3:26:47 PM *.scorecardresearch.com Sectigo RSA Organization Validation Secure Server CA 5/28/2078 3:26:48 PM 5/29/2079 3:26:47 PM *.dotmetrics.net Amazon RSA 2048 M02 2/7/2078 3:26:48 PM 3/9/2079 3:26:47 PM *.chartbeat.com Thawte TLS RSA CA G1 10/31/2078 3:26:48 PM 11/23/2079 3:26:47 PM api-vip.bbci.co.uk GlobalSign ECC OV SSL CA 2018 10/27/2078 1:37:56 AM 11/28/2079 1:37:55 AM *.chartbeat.net Thawte TLS RSA CA G1 5/7/2078 3:26:48 PM 6/8/2079 3:26:47 PM a1.api.bbc.co.uk GlobalSign RSA OV SSL CA 2018 5/19/2078 12:07:52 AM 6/20/2079 12:07:51 AM .EXAMPLE $Scan = New-URLScan -URL 'https://bbc.co.uk' $Scan | Get-URLScan -Return Links href text ---- ---- https://www.bbc.co.uk/usingthebbc/cookies/what-do-i-need-to-know-about-cookies/ cookies https://www.bbc.co.uk/usingthebbc/cookies/how-can-i-change-my-bbc-cookie-settings/ No, take me to settings https://www.bbc.co.uk/ BBC Homepage https://www.bbc.co.uk/accessibility/ Accessibility Help https://session.bbc.com/session?lang=en-GB&ptrt=https://www.bbc.com/ Sign in https://www.bbc.co.uk/notifications Notifications https://www.bbc.co.uk/news News https://www.bbc.co.uk/sport Sport .EXAMPLE $Scan = New-URLScan -URL 'https://bbc.co.uk' $Scan | Get-URLScan -Return Cookies | ft Name Domain Path Size HTTPOnly Secure Session Expires ---- ------ ---- ---- -------- ------ ------- ------- ckns_mvt .bbc.co.uk / 44 False True False 12/5/2079 8:54:59 AM ckns_mvt .bbc.com / 44 False True False 12/5/2079 8:55:02 AM DotMetrics.DeviceKey .dotmetrics.net / 29 False True False 12/5/2079 8:55:05 AM DotMetrics.UniqueUserIdentityCookie .dotmetrics.net / 165 False True False 12/5/2079 8:55:05 AM atuserid .bbc.com / 194 False True False 1/6/2080 8:55:04 AM _cb .bbc.com / 21 False True False 1/4/2080 8:55:04 AM _chartbeat2 .bbc.com / 74 False True False 1/4/2080 8:55:04 AM _cb_svref .bbc.com / 39 False True False 12/5/2078 9:25:05 AM DM_SitId1778 www.bbc.com / 13 False True True 6/18/2024 4:57:49 PM DM_SitId1778SecId13934 www.bbc.com / 23 False True True 6/18/2024 4:57:49 PM .FUNCTIONALITY URLScan.io #> param( [Parameter( Mandatory=$true, ValueFromPipelineByPropertyName = $true )] [ValidatePattern('^\w{8}\-\w{4}\-\w{4}\-\w{4}\-\w{12}$')] [Alias('id','_id')] $UUID, [ValidateSet('Summary','Domains','Servers','Links','Page','Requests','Hashes','IPs','URLs','Countries','Cookies','Certificates','Verdicts','Technologies','TLS','GeoIP','PTR','ASNs','Wappalyzer','Umbrella')] [String]$Return, [ValidateSet('Object','JSON')] [String]$ReturnType = 'Object', [String]$APIKey ) begin { $Headers = Get-URLScanHeaders -APIKey $($APIKey) } process { try { $Results = Invoke-RestMethod -Method GET -Uri "https://urlscan.io/api/v1/result/$($UUID)/" -Headers $Headers } catch { Write-Error $_ break } if ($Results) { $Date = Get-Date Switch($Return) { 'Summary' { $ReturnProperties = @{ Property = @{n="Unique Countries";e={$_.stats.uniqCountries}}, @{n="Total Links";e={$_.stats.totalLinks}}, @{n="Total Domains";e={$_.stats.domainStats.Count}}, @{n="Server Types";e={$_.stats.serverStats.Count}}, @{n="Total IPs";e={$_.stats.ipStats.Count}}, @{n="Total URLs";e={$_.data.requests.response.response.Count}}, @{n="AdBlocked";e={$_.stats.adBlocked}}, @{n="Malicious";e={$_.stats.malicious}}, @{n="Secure Percentage";e={"$($_.stats.securePercentage)%"}} } $ResultArr = $Results | Select-Object @ReturnProperties break } 'Domains' { $ResultArr = $Results.stats.domainStats break } 'Servers' { $ResultArr = $Results.stats.serverStats break } 'Links' { $ResultArr = $Results.data.links | Select-Object href,text break } 'Page' { $ResultArr = $Results.page break } 'Requests' { $ReturnProperties = @{ Property = @{n="RequestURL";e={$_.request.url}}, @{n="Method";e={$_.request.method}}, @{n="Headers";e={$_.request.headers}}, @{n="MixedContentType";e={$_.request.mixedContentType}}, @{n="InitialPriority";e={$_.request.initialPriority}}, @{n="ReferrerPolicy";e={$_.request.referrerPolicy}}, @{n="IsSameSite";e={$_.request.isSameSite}}, @{n="DocumentURL";e={$_.documentURL}} } $ResultArr = $Results.data.requests.request | Select-Object @ReturnProperties break } 'Hashes' { $ReturnProperties = @{ Property = @{n="Type";e={$_.type}}, @{n="Size";e={$_.size}}, @{n="Hash";e={$_.hash}}, @{n="Url";e={$_.response.url}} } $ResultArr = $Results.data.requests.response | Select-Object @ReturnProperties break } 'IPs' { $ResultArr = $Results.stats.ipStats break } 'URLs' { $ReturnProperties = @{ Property = @{n="URL";e={$_.url}}, @{n="Status";e={$_.status}}, @{n="MimeType";e={$_.mimeType}}, @{n="Charset";e={$_.charset}}, @{n="Remote IP";e={$_.remoteIPAddress}}, @{n="Remote Port";e={$_.remotePort}} } $ResultArr = $Results.data.requests.response.response | Select-Object @ReturnProperties break } 'Countries' { $ResultArr = $Results.lists | Select-Object countries break } 'Cookies' { $ReturnProperties = @{ Property = @{n="Name";e={$_.name}}, @{n="Domain";e={$_.domain}}, @{n="Path";e={$_.path}}, @{n="Size";e={$_.size}}, @{n="HTTPOnly";e={$_.httpOnly}}, @{n="Secure";e={$_.secure}}, @{n="Session";e={$_.session}}, @{n="Expires";e={($Date).AddSeconds($_.expires)}} } $ResultArr = $Results.data.cookies | Select-Object @ReturnProperties break } 'Certificates' { $ReturnProperties = @{ Property = @{n="Subject";e={$_.subjectName}}, @{n="Issuer";e={$_.issuer}}, @{n="ValidFrom";e={($Date).AddSeconds($_.validFrom)}}, @{n="ValidTo";e={($Date).AddSeconds($_.validTo)}} } $ResultArr = $Results.lists.certificates | Select-Object @ReturnProperties break } 'Verdicts' { $ReturnProperties = @{ Property = @{n="UUID";e={$_.task.uuid}}, @{n="Time";e={$_.task.time}}, @{n="URL";e={$_.task.url}}, @{n="OverallMalicious";e={$_.verdicts.overall.malicious}}, @{n="OverallScore";e={$_.verdicts.overall.score}}, @{n="OverallBrands";e={$($_.verdicts.overall.brands) -join ','}}, @{n="OverallTags";e={$($_.verdicts.overall.tags + $_.verdicts.overall.categories) -join ','}}, @{n="EnginesMalicious";e={$_.verdicts.engines.malicious}}, @{n="EnginesScore";e={$_.verdicts.engines.score}}, @{n="EnginesBrands";e={$($_.verdicts.engines.brands) -join ','}}, @{n="EnginesTags";e={$($_.verdicts.engines.tags + $_.verdicts.engines.categories) -join ','}}, @{n="URLScanMalicious";e={$_.verdicts.urlscan.malicious}}, @{n="URLScanScore";e={$_.verdicts.urlscan.score}}, @{n="URLScanBrands";e={$($_.verdicts.urlscan.brands) -join ','}}, @{n="URLScanTags";e={$($_.verdicts.urlscan.tags + $_.verdicts.urlscan.categories) -join ','}}, @{n="CommunityMalicious";e={$_.verdicts.community.malicious}}, @{n="CommunityScore";e={$_.verdicts.community.score}}, @{n="CommunityBrands";e={$($_.verdicts.community.brands) -join ','}}, @{n="CommunityTags";e={$($_.verdicts.community.tags + $_.verdicts.community.categories) -join ','}} } $ResultArr = $Results | Select-Object @ReturnProperties break } 'Technologies' { $ReturnProperties = @{ Property = @{n="App";e={$_.app}}, @{n="Website";e={$_.website}}, @{n="Categories";e={$_.categories.name -join ','}}, @{n="Confidence";e={$_.confidenceTotal}} } $ResultArr = $Results.meta.processors.wappa.data | Select-Object @ReturnProperties break } 'TLS' { $ResultArr = $Results.stats.tlsStats break } 'GeoIP' { $ReturnProperties = @{ Property = @{n="IP";e={$_.ip}}, @{n="Country";e={$_.geoip.country}}, @{n="City";e={$_.geoip.city}}, @{n="LonLat";e={$_.geoip.ll}}, @{n="Region";e={$_.geoip.region}}, @{n="Timezone";e={$_.geoip.timezone}} } $ResultArr = $Results.meta.processors.geoip.data | Select-Object @ReturnProperties break } 'PTR' { $ResultArr = $Results.meta.processors.rdns.data break } 'ASNs' { $ResultArr = $Results.meta.processors.asn.data break } 'Wappalyzer' { $ResultArr = $Results.meta.processors.wappa.data break } 'Umbrella' { $ResultArr = $Results.meta.processors.umbrella.data break } default { $ResultArr = $Results $ResultArr | Add-Member -MemberType NoteProperty -Name "uuid" -Value $Results.task.uuid } } Switch($ReturnType) { 'Object' { return $ResultArr } 'JSON' { return $($ResultArr | ConvertTo-Json -Depth 10) } } } } } |